Nov 23, 2014

A Virtual LAN, or VLAN for short, allows partitioning a network into a set of mutually isolated virtual networks.

The TP-Link TL-WR740N has four (4) LAN ports, all belonging to the same network. With VLANs, those LAN ports can be configured differently, so that the device no longer behaves as a single switch across the 4 ports. For example, the two leftmost ports could be set up on one virtual LAN: devices connected to these ports would see each other, but would have no routing to devices plugged into the rightmost ports.

Full information on VLANs in OpenWrt can be found in the network interfaces document. This page includes information specific to the TL-WR740N router, configured with OpenWrt (Attitude Adjustment 12.09 release).

This device supports 16 VLANs. Port 0 is the CPU port; ports 1, 2, 3 and 4 are associated with the 4 LAN connections on the back of the router.

To get the exact mapping between switch ports and the labelling on the router, enter:

    swconfig dev switch0 show

Then plug cables into the LAN connections one at a time and watch which port reports its link as up. For this router, I got the following allocation:

    Port 0: CPU
    Port 1: LAN 4
    Port 2: LAN 1
    Port 3: LAN 2
    Port 4: LAN 3

With the existing configuration, there is a single virtual LAN, with identity 0, identified as eth1.0 (or directly eth1).

To configure two virtual LANs, one associated with the left ports (LAN 1, LAN 2 / ports 2 and 3) and the other associated with the right ports (LAN 3, LAN 4 / ports 1 and 4), we use the following configuration:

    config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

    config interface 'lan'
        option ifname 'eth0.1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

    config interface 'landenver'
        option ifname 'eth0.2'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

    config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

    config switch
        option name 'eth0'
        option reset '1'
        option enable_vlan '1'

    config switch_vlan 'eth0_1'
        option device 'eth0'
        option vlan '1'
        option vid '1'
        option ports '2 3 0t'

    config switch_vlan 'eth0_2'
        option device 'eth0'
        option vlan '2'
        option vid '2'
        option ports '1 4 0t'

This creates an interface called lan associated with the first VLAN (eth1.1), that is, with the ports labelled on the router as LAN 1 and LAN 2; it also creates the interface landenver associated with the second VLAN (eth1.2), on the remaining router ports. Note that each interface uses a different set of LAN ports (2,3 vs 1,4) and both communicate with the CPU (port 0). Because both VLANs share port 0, that port is tagged (0t), so the CPU can tell which VLAN each frame belongs to. Detailed information on this logic is included in the switch documentation on the OpenWrt wiki.

With this configuration in place, and after restarting the network with /etc/init.d/network restart, entering:

    swconfig dev switch0 show

will output:

    root@OpenWrt:/# swconfig dev switch0 show
    Global attributes:
        enable_vlan: 1
    Port 0:
        pvid: 0
        link: port:0 link:up speed:1000baseT full-duplex txflow rxflow
    Port 1:
        pvid: 2
        link: port:1 link:down
    Port 2:
        pvid: 1
        link: port:2 link:down
    Port 3:
        pvid: 1
        link: port:3 link:up speed:100baseT full-duplex auto
    Port 4:
        pvid: 2
        link: port:4 link:down
    VLAN 0:
        vid: 0
        ports: 0t
    VLAN 1:
        vid: 1
        ports: 0t 2 3
    VLAN 2:
        vid: 2
        ports: 0t 1 4
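To check this output mechanically rather than by eye, the following added example (not part of the original post) parses swconfig show output and flags any port that is an untagged member of more than one VLAN, any tagged port other than the CPU port, and any port whose pvid does not match its VLAN. The function names and the embedded sample are constructed for illustration, and it assumes the layout described here, where only the CPU port is tagged.

```shell
# Added example: audit "swconfig dev switch0 show" output for the two-VLAN
# layout on this page. On the router: swconfig dev switch0 show | check_isolation
check_isolation() {    # optional $1 = CPU port number (assumed 0, as on this page)
    awk -v cpu="${1:-0}" '
    $1 == "Port"  { port = $2; sub(/:$/, "", port); next }
    $1 == "pvid:" { pvid[port] = $2; next }
    $1 == "vid:"  { vid = $2; next }
    $1 == "ports:" {
        for (i = 2; i <= NF; i++) {
            p = $i
            if (sub(/t$/, "", p)) {        # tagged member, e.g. "0t"
                if (p != cpu) { print "FAIL: port " p " is tagged in VLAN " vid; bad = 1 }
                continue
            }
            if (p in owner) { print "FAIL: port " p " untagged in VLANs " owner[p] " and " vid; bad = 1 }
            else owner[p] = vid
        }
    }
    END {
        for (p in owner)
            if (pvid[p] != owner[p]) { print "FAIL: port " p " has pvid " pvid[p] ", member of VLAN " owner[p]; bad = 1 }
        exit bad + 0
    }'
}
# Constructed sample: the pvid and VLAN lines of the output shown above.
sample_good() {
    cat <<'EOF'
Port 0:
    pvid: 0
Port 1:
    pvid: 2
Port 2:
    pvid: 1
Port 3:
    pvid: 1
Port 4:
    pvid: 2
VLAN 0:
    vid: 0
    ports: 0t
VLAN 1:
    vid: 1
    ports: 0t 2 3
VLAN 2:
    vid: 2
    ports: 0t 1 4
EOF
}
```

The function prints nothing and returns 0 when the port groups are disjoint; any FAIL line means a port bridges the two VLANs at the switch, before the firewall is ever consulted.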

For this to fully work, we need to provide additional firewall rules and set up DHCP for the new interface (landenver). Add the following new lines to /etc/config/firewall; the zone accepts traffic to and from the router itself and rejects forwarded traffic:

    config zone
        option name landenver
        option network 'landenver'
        option input ACCEPT
        option output ACCEPT
        option forward REJECT

and in /etc/config/dhcp add:

    config dhcp landenver
        option interface landenver
        option start 200
        option limit 250
        option leasetime 12h

Time now to restart the network and enjoy the different virtual LANs: